healer | cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe
Size

958KB
MD5

178e183fb6de99960fed8d8a12a59bbc
SHA1

fd2c974e88655caa7ab978bc328a59f40c68d76c
SHA256

cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561
SHA512

47ffb128fa4a7926b4482ef84e0741047b4731daf05e6fa7e6c2f90cd85c5502b11d4b6a0b89af2a3c79a0fbba8ac020110f8cd82cc5a72775355ba3812b25cd
SSDEEP

24576:Zyy1iJwdaQbwHqzPm+ZbXpcQZfDUYishkH8m:M26iaQbwHqzPm6pcQZfflhA8

Score

10^/10

healer redline dark discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/4460-2150-0x0000000002900000-0x000000000290A000-memory.dmp	healer
behavioral1/files/0x0002000000022ae8-2155.dat	healer
behavioral1/memory/5196-2163-0x0000000000E90000-0x0000000000E9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/5628-4319-0x0000000005750000-0x0000000005782000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b97-4324.dat	family_redline
behavioral1/memory/3492-4326-0x00000000000D0000-0x0000000000100000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	63965921.exe

Executes dropped EXE 5 IoCs

pid	Process
2244	un769920.exe
4460	63965921.exe
5196	1.exe
5628	rk276283.exe
3492	si117170.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un769920.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5464	4460	WerFault.exe	85
5788	5628	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un769920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63965921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk276283.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si117170.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5196	1.exe
5196	1.exe
5196	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	63965921.exe
Token: SeDebugPrivilege	5628	rk276283.exe
Token: SeDebugPrivilege	5196	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2244	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	83
PID 4916 wrote to memory of 2244	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	83
PID 4916 wrote to memory of 2244	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	83
PID 2244 wrote to memory of 4460	2244	un769920.exe	85
PID 2244 wrote to memory of 4460	2244	un769920.exe	85
PID 2244 wrote to memory of 4460	2244	un769920.exe	85
PID 4460 wrote to memory of 5196	4460	63965921.exe	88
PID 4460 wrote to memory of 5196	4460	63965921.exe	88
PID 2244 wrote to memory of 5628	2244	un769920.exe	94
PID 2244 wrote to memory of 5628	2244	un769920.exe	94
PID 2244 wrote to memory of 5628	2244	un769920.exe	94
PID 4916 wrote to memory of 3492	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	99
PID 4916 wrote to memory of 3492	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	99
PID 4916 wrote to memory of 3492	4916	cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe	99

C:\Users\Admin\AppData\Local\Temp\cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe
"C:\Users\Admin\AppData\Local\Temp\cb242d71c610774c46acb0e54b2ba749eaffbbbce811cb723cc0b543d4467561.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un769920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un769920.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63965921.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63965921.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1152
      4⤵
      Program crash
      PID:5464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk276283.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk276283.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 1220
      4⤵
      Program crash
      PID:5788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si117170.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si117170.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4460 -ip 4460
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5628 -ip 5628
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si117170.exe

Filesize
168KB

MD5
90789c3c9d215cf3a45650eac1a26d57

SHA1
ecded4087fa7fdbdb54ff7aad70bef472a09e507

SHA256
7592a690f1d50243c6428d24180f1f9038a670bed8d426a5463af3e110062685

SHA512
9b3f17cde1c5e2e5a24bf6a3b3ee7b293c1cc805f8d806c8764dfef06e35a391630831568ef58bf64603258e1f49a6c68cda5f076826f08f1df85d2621a67375

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un769920.exe

Filesize
804KB

MD5
5a8c5d74cf76561da34f988d302a177f

SHA1
f8f1d931ad9dd8c3af2ffa572b84d6e71d611f46

SHA256
34ecf6710098bb98810032ecc3de83153bf47f82f2e3b0de2a0e674d63914dce

SHA512
8647f19a66b7c4ea86f2e5760ab3401384d95858cd7b04fdab8e06927320fbcd7eb1ab3ebfe509663e9237d9879f20d2adc3b2115041120d406aaf889fa47e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63965921.exe

Filesize
479KB

MD5
9fe2720edd9b9d6a26cba0dc828e5000

SHA1
d80277e9ce2af740d5459d7c7d457a407ab29a50

SHA256
68b41f12a24856c2829fef9b6333c93a903ff91b18a630ef71ccb7c5d704d748

SHA512
df0bdeb9bb20f5989a2faa04394d13e58627c5d529c21cb4ba99d0b4e72440f3a34d8067ef7c0ce06edd3a238389a6c0329735b2ec875e4eb609f7c7afc892eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk276283.exe

Filesize
539KB

MD5
041777e07c111d978557a6187a5d80a2

SHA1
3978e41b433f75f60e4993fb41453521fdef9bed

SHA256
f9cdc0d3406325aa794bdc3e2fef467e1cdff377d5d5c9a2ca5fcc1e0aa9ffdd

SHA512
21ec52cd3c261372f145effec2e866e8082af7c65aec4b54299b4b621d0e96a409622a46353b9ed8e170602a2c0664eea011f95bb0e94e2ecd6a36044b322fb5

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3492-4332-0x00000000043D0000-0x000000000441C000-memory.dmp

Filesize
304KB

Download
memory/3492-4331-0x000000000A010000-0x000000000A04C000-memory.dmp

Filesize
240KB

Download
memory/3492-4330-0x0000000009FB0000-0x0000000009FC2000-memory.dmp

Filesize
72KB

Download
memory/3492-4329-0x000000000A080000-0x000000000A18A000-memory.dmp

Filesize
1.0MB

Download
memory/3492-4328-0x000000000A520000-0x000000000AB38000-memory.dmp

Filesize
6.1MB

Download
memory/3492-4327-0x0000000002380000-0x0000000002386000-memory.dmp

Filesize
24KB

Download
memory/3492-4326-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/4460-43-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-31-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-77-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-75-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-73-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-71-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-69-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-67-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-65-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-63-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-61-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-57-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-55-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-54-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-51-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-49-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-48-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-45-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-82-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-41-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-39-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-37-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-33-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-79-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-29-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-25-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-23-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-22-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-35-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-27-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-2150-0x0000000002900000-0x000000000290A000-memory.dmp

Filesize
40KB

Download
memory/4460-83-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4460-2165-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4460-2166-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4460-85-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-15-0x0000000000A30000-0x0000000000B30000-memory.dmp

Filesize
1024KB

Download
memory/4460-17-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4460-18-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4460-19-0x0000000002840000-0x0000000002898000-memory.dmp

Filesize
352KB

Download
memory/4460-59-0x0000000004E80000-0x0000000004ED1000-memory.dmp

Filesize
324KB

Download
memory/4460-21-0x0000000004E80000-0x0000000004ED6000-memory.dmp

Filesize
344KB

Download
memory/4460-20-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/5196-2163-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/5628-4320-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/5628-4319-0x0000000005750000-0x0000000005782000-memory.dmp

Filesize
200KB

Download
memory/5628-2172-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/5628-2171-0x00000000026E0000-0x0000000002748000-memory.dmp

Filesize
416KB

Download